Re: Beginners error: Hewlett-Packards driver software executes rogue binary C:\Program.exe

["Stefan Kanthak" <stefan.kanthak () nexgo de>]

"Michal Zalewski" <lcamtuf-QTaIpnqiE1Ffq8cQ1yknNg () public gmane org> wrote:

> > the existence of "C:\Program.exe" must not have any bad affect
> > for any random installer not intending to execute this
>
> Sounds like a good goal.

Yes. Not just for any random installer, but for any Windows program.

<http://msdn.microsoft.com/library/cc144175.aspx>
<http://msdn.microsoft.com/library/cc144101.aspx>

| Note: If any element of the command string contains or might contain
| spaces, it must be enclosed in quotation marks.
             ~~~~
[...]

> Now, in practical terms... in absence of a plausible risk / attack
> vector, it doesn't sound like much of a security issue (unless you
> adopt the approach advocated on the predecessor of this list by Mr.
> Lemonias).

The plausible risk / attack vector is the same as used/shown in
<http://cwe.mitre.org/data/definitions/428.html>
<http://www.tenable.com/sc-report-templates/microsoft-windows-unquoted-service-path-enumeration>
<https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464>

JFTR: there is no real difference between vertical and horizontal
      privilege escalation.

Stefan

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/